At 12:39 PM 11/22/2006, Dominique L Bouix wrote:
>On Thu, Nov 16, 2006 at 08:26:48AM -0800, Paul Hoffman wrote:
> > This is still of significant concern. Any news on the status? Has the
> > exploit been verified? Is a patch available?
> >

I do find it interesting that the CVE notice has now been amended to
include mitigating information, which the "reliable researcher" had
neglected to tell anyone about.
"Buffer overflow in ProFTPD 1.3.0 and earlier, when configured to use the
CommandBufferSize directive, allows remote attackers to cause a denial
of service, as demonstrated by vd_proftpd.pm, a "ProFTPD remote
exploit."
http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-5815

So my configs and the sample configs are not vulnerable. And very
probably neither are yours.

And, y'know, maybe I've had the wrong definition of remote exploit
all along, but I thought a DOS was an attack, that however did not
compromise a site, however much it might compromise the
_availability_ of the site. So this also seems like even more
back-pedaling as details become known.

>Linux vendors have begun releasing fixes for ProFTPd, including Mandriva and
>Debian. What is unclear is if these fixes are from the ProFTPd core team or
>patched by the vendors themselves.

I note that the CVS had a change checked into src/main.c by John
Morrissey only 4 days ago, and having to do very much with
CommandBufferSize.
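The amended CVE text above makes the CommandBufferSize directive the precondition, so the practical check is whether a given proftpd.conf actually enables it. The following is an added example, not code from this thread or from the ProFTPD project; it assumes a single config file (Include'd files are not followed) and matches the directive name case-insensitively as a conservative choice.

```shell
# Returns 0 if the config has an active (uncommented) CommandBufferSize
# directive, 1 otherwise. Comments are stripped first so a commented-out
# directive does not count as enabled.
# Limitation (assumption): files pulled in via Include are not followed.
proftpd_uses_commandbuffersize() {
    conf="$1"
    sed 's/#.*$//' "$conf" \
        | grep -Eiq '^[[:space:]]*CommandBufferSize[[:space:]]+[0-9]+'
}

# Constructed sample configs so the check can be run offline.
sample_enabled=$(mktemp)
cat > "$sample_enabled" <<'EOF'
ServerName "constructed sample"
CommandBufferSize 512
EOF

sample_disabled=$(mktemp)
cat > "$sample_disabled" <<'EOF'
ServerName "constructed sample"
# CommandBufferSize 512
EOF
trap 'rm -f "$sample_enabled" "$sample_disabled"' EXIT

# Human-readable report for whichever config is passed in.
report_commandbuffersize() {
    if proftpd_uses_commandbuffersize "$1"; then
        echo "$1: CommandBufferSize is enabled; CVE-2006-5815 precondition met"
    else
        echo "$1: CommandBufferSize not enabled; CVE-2006-5815 precondition not met"
    fi
}

report_commandbuffersize "$sample_enabled"
report_commandbuffersize "$sample_disabled"
```

Run it against /etc/proftpd.conf (or wherever your build installs it) to confirm the claim in the message for your own deployment.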